oss-sec mailing list archives
Re: CVE Request: CSRF in Grails console
From: Dario Bertini <berdario () gmail com>
Date: Wed, 3 Aug 2016 00:57:25 +0100
Thanks On Tue, Aug 2, 2016 at 11:43 PM, <cve-assign () mitre org> wrote:
It is possible that a behavior like this could have its own CVE ID if it is undocumented or interacts incorrectly with run-app. For example, http://docs.grails.org/1.3.9/guide/single.html#6.4.5%20Mapping%20to%20HTTP%20methods says "the HTTP method (GET, POST, PUT or DELETE)." Do you mean, for example, that the OPTIONS or TRACE method can allow access, but the documentation suggests that only GET, POST, PUT, and DELETE need to be anticipated?
Nothing that fancy (I actually forgot about the HTTP method mapping you linked to...) The template code dropped by `grails create-app` is the same one you can see here: http://docs.grails.org/3.1.1/ref/Plug-ins/URL%20mappings.html ``` "/$controller/$action?/$id?"{ constraints { // apply constraints here } } ``` This code is then kept by Grails programmer, who only rarely add more constrained mappings to this file, and instead relying on "convention over configuration". That is: they add controllers, and every non-private Closure/method defined in such controllers is accessible via any HTTP method, unless the snippet above is not removed. You can easily find demonstrations that this happens in real code: The same Grails Console plugin https://github.com/sheehan/grails-console/blob/88b1bb2/grails3/app/grails-app/controllers/UrlMappings.groovy (note that in fact their fix requires a CSRF token even for GET requests) The reference app for the Grails in Action book: https://github.com/pledbrook/graina/blob/fe1feca/hubbub/grails-app/conf/UrlMappings.groovy#L16-L20 ( There are even people that proposed custom annotations to provide a mechanism to constrain the methods closer to the actual method/function definition: http://burtbeckwith.com/blog/?p=80 ... I'd say that this is a simptom of how there are several ways to constrain HTTP methods for each controller, and yet none of these is truly used universally)
Current thread:
- CVE Request: CSRF in Grails console Dario Bertini (Aug 01)
- Re: CVE Request: CSRF in Grails console cve-assign (Aug 02)
- Re: CVE Request: CSRF in Grails console Dario Bertini (Aug 02)
- Grails Console is still vulnerable to CSRF CVE-2016-6521 Dario Bertini (Aug 03)
- Re: CVE Request: CSRF in Grails console cve-assign (Aug 02)